The main concern about this method is that such a file is not independently reproducible. This may be worrying for some more paranoid folks.

On Fri, Feb 15, 2019 at 6:04 AM Darren Tucker <dtucker@xxxxxxxxxxx> wrote:
>
> On Fri, 15 Feb 2019 at 13:21, Yegor Ievlev <koops1997@xxxxxxxxx> wrote:
> > Also, how are default moduli shipped with OpenSSH for use in
> > diffie-hellman-group-exchange-sha1/sha256 chosen? Are they chosen
> > randomly by developers or are they chosen for security properties?
>
> A bit of both. They're generated using ssh-keygen(1) in a 2-step
> process (look for the -G and -T options). For each group size,
> candidates are picked at random and then screened (see
> https://github.com/openssh/openssh-portable/blob/master/moduli.c).
>
> > If they are random, why not use moduli from RFC 7919 instead, like
> > Mozilla recommends?
>
> Quoting RFC4419 (which predates 7919 by more than a decade):
> """
> we fear that extensive precomputation and more efficient
> algorithms to compute the discrete logarithm over a fixed group might
> pose a security threat to the SSH protocol.
> The ability to propose new groups will reduce the incentive to use
> precomputation for more efficient calculation of the discrete
> logarithm. The server can constantly compute new groups in the
> background.
> """
>
> Using a small, fixed set of groups shared with another protocol would
> be counter to this goal (see also: LogJam and the Oakley groups).
> You're welcome to replace your file with the ones from RFC7919,
> though.
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
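The two-step process described in the quoted reply (random candidates from `ssh-keygen -G`, then screening with `-T`) can be illustrated with an added Python example that is not code from the thread or from OpenSSH: it parses moduli(5)-style lines (the real field layout is time, type, tests, tries, size, generator, hex modulus) and applies the core of the screening, namely that p is a safe prime and that g is a primitive root. The sample lines are constructed from tiny primes so the check runs instantly; real candidates are 2048 bits and larger.

```python
# Added example (not code from the thread): the safe-prime and generator screening
# ssh-keygen -T performs, run over moduli(5)-style lines built here from tiny primes.
BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    # Miller-Rabin with fixed bases: deterministic below 3.3e24, probabilistic above.
    if n < 2:
        return False
    for a in BASES:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def screen_modulus(p, g):
    # Returns "ok" or the reason the (p, g) pair is rejected.
    if not is_probable_prime(p):
        return "composite modulus"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return "not a safe prime: (p-1)/2 is composite"
    # For a safe prime p, g has order 1, 2, q or 2q; require the full order p-1.
    if pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        return "generator does not have order p-1"
    return "ok"

def screen_moduli(text):
    # Fields per moduli(5): time type tests tries size generator modulus(hex).
    rows = [l.split() for l in text.splitlines() if l.strip() and not l.startswith("#")]
    pairs = [(int(r[6], 16), int(r[5])) for r in rows]  # (modulus p, generator g)
    return [(p, g, screen_modulus(p, g)) for p, g in pairs]

# Constructed sample: 59 passes, 23 has g=2 of order q, 37 is not safe, 51 is composite.
SAMPLE_MODULI = """# Time Type Tests Tries Size Generator Modulus
20190215000000 2 6 100 6 2 3B
20190215000000 2 6 100 5 2 17
20190215000000 2 6 100 6 2 25
20190215000000 2 6 100 6 2 33"""
```

Running `screen_moduli(SAMPLE_MODULI)` keeps only the 59 entry; the rejected rows show the three distinct failure modes the screening step exists to catch.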